The Center for Education and Research in Information Assurance and Security (CERIAS)
The Center for Education and Research inInformation Assurance and Security (CERIAS)
Eugene Spafford, a professor at Purdue University and founder and executive director of the Center for Education and Research in Information Assurance and Security, said the real problem is the belief that flawed systems can be secured retroactively, either by add-ons or by compelling users to act in ways they are not used to.
Even if agencies have policies to provide training, they are often too specific or too ambiguous, he said. For example, take the “don’t open any suspicious e-mails” approach. What exactly constitutes a suspicious e-mail message? Many of the social engineering attacks occurring today are designed to not look suspicious, Spafford said.
“The approach that’s currently been taken is sort of the equivalent of telling employees, ‘when you come to work, don’t open any square blue boxes.’ But then someone sends in square red boxes, and they all get taken,” he said.
The federal government’s efforts to transition to cloud-based services and technologies could also mean more security problems, he suggested. Following trends or big pushes to save money often mean that security issues fall lower on the priority ladder.
“That’s partly why we have vulnerable systems today, because the idea was, ‘we’ll buy whatever is the cheapest thing on the market’ to save money rather than actually thinking through building a strong, secure infrastructure,” Spafford said.
Some of the security industry’s biggest minds will gather Nov. 7-9 at San Diego for a conference dripping with acronyms, computer jargon and geek-speak. The conference is the jamboree of APWG — Anti-Phishing Working Group to those not initiated into the mysteries of cybercrime terminology. A keynote address by Eugene H. Spafford, professor of computer sciences at Purdue University, will review new technologies and systems being used to protect Internet works and data resources.
Sandia National Labs Director to Speak on National Security Challenges
November 30th Free and Open to the Public 9am - 10:30am Krannert Auditorium Purdue University West Lafayette, IN
As director of VACCINE, a Department of Homeland Security Center of Excellence, David Ebert’s goal is to help our nation’s 2.3 million extended homeland security personnel, including first-responders, perform their jobs more effectively by turning mass amounts of data into manageable information.
President Obama issued an executive order Friday that establishes an Insider Threat Task Force to prevent potentially damaging and embarrassing exposure of government secrets, such those made public by WikiLeaks.
Eugene Spafford, executive director of Purdue University’s Center for Education and Research in Information Assurance and Security, said the president’s action was long overdue. “Why haven’t they been doing this already?” asked Spafford, who has testified before Congress on IT security matters. “This is at least 10 years too late, if not 20.”
A focus on securing legacy IT architectures rather than on developing secure technology has created an untrustworthy environment that eventually will drive users offline, said Purdue University professor Eugene Spafford.
Lawmakers frequently introduce cybersecurity bills in Congress, but usually they fade away and never become law, despite the apparent need for them by high-profile breaches that seem to occur week after week. Eugene Spafford, executive director of Purdue University’s Center for Education and Research in Information Assurance and Security, sees Congress’ committee structure as a deterrent in getting cybersecurity legislation passed. Various committees in both houses claim jurisdiction over different aspects of IT security, and intra-house squabbling can cause a bill to get lost on its way to becoming law.
